Nearly 200 nefarious npm packages, which have raked in over 31,000 total downloads, have been leveraged by North Korean hackers to facilitate the distribution of a new OtterCookie malware variant that features BeaverTail capabilities as part of the Contagious Interview attack campaign, reports The Hacker News.
Installation of the malicious packages, including bcryptjs-node, node-tailwind, session-keeper, and webpack-loadcss, prompts a connection with a hardcoded Vercel URL and the retrieval of the updated OtterCookie malware, which bypasses virtual machines and sandboxes before providing a remote shell and enabling clipboard content theft, keystroke logging, and browser credential and cryptocurrency wallet data theft, according to a Socket analysis.
"This sustained tempo makes Contagious Interview one of the most prolific campaigns exploiting npm, and it shows how thoroughly North Korean threat actors have adapted their tooling to modern JavaScript and crypto-centric development workflows," said Socket researcher Kirill Boychenko.
Such findings follow North Korean hackers' reported distribution of GolangGhost malware, also known as FlexibleFerret or WeaselStore, through ClickFix-inspired instructions.

Illicit npm packages deploy new OtterCookie malware variant




